Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5208fd4293816e0b6f7075fbd14bc4f5642c05ee / . / ssl / test / runner / handshake_client.go
blob: 003aaf44aa079e4dc2beb223f4284dc3d7798479 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]24 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]29 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]30 masterSecret []byte
31 session *ClientSessionState
32 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33}
34
35func (c *Conn) clientHandshake() error {
36 if c.config == nil {
37 c.config = defaultConfig()
38 }
39
40 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
41 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
42 }
43
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]44 c.sendHandshakeSeq = 0
45 c.recvHandshakeSeq = 0
46
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]47 nextProtosLength := 0
48 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]49 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]50 return errors.New("tls: invalid NextProtos value")
51 } else {
52 nextProtosLength += 1 + l
53 }
54 }
55 if nextProtosLength > 0xffff {
56 return errors.New("tls: NextProtos values too large")
57 }
58
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]59 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]60 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]61 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]62 compressionMethods: []uint8{compressionNone},
63 random: make([]byte, 32),
64 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]65 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]66 serverName: c.config.ServerName,
67 supportedCurves: c.config.curvePreferences(),
68 supportedPoints: []uint8{pointFormatUncompressed},
69 nextProtoNeg: len(c.config.NextProtos) > 0,
70 secureRenegotiation: []byte{},
71 alpnProtocols: c.config.NextProtos,
72 duplicateExtension: c.config.Bugs.DuplicateExtension,
73 channelIDSupported: c.config.ChannelID != nil,
74 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]75 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]76 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
77 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]78 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]79 }
80
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]81 if c.config.Bugs.SendClientVersion != 0 {
82 hello.vers = c.config.Bugs.SendClientVersion
83 }
84
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]85 if c.config.Bugs.NoExtendedMasterSecret {
86 hello.extendedMasterSecret = false
87 }
88
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]89 if c.config.Bugs.NoSupportedCurves {
90 hello.supportedCurves = nil
91 }
92
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]93 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
94 if c.config.Bugs.BadRenegotiationInfo {
95 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
96 hello.secureRenegotiation[0] ^= 0x80
97 } else {
98 hello.secureRenegotiation = c.clientVerify
99 }
100 }
101
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]102 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]103 hello.secureRenegotiation = nil
104 }
105
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]106 var keyShares map[CurveID]ecdhCurve
107 if hello.vers >= VersionTLS13 && enableTLS13Handshake {
108 // Offer every supported curve in the initial ClientHello.
109 //
110 // TODO(davidben): For real code, default to a more conservative
111 // set like P-256 and X25519. Make it configurable for tests to
112 // stress the HelloRetryRequest logic when implemented.
113 keyShares = make(map[CurveID]ecdhCurve)
114 for _, curveID := range hello.supportedCurves {
115 curve, ok := curveForCurveID(curveID)
116 if !ok {
117 continue
118 }
119 publicKey, err := curve.offer(c.config.rand())
120 if err != nil {
121 return err
122 }
123 hello.keyShares = append(hello.keyShares, keyShareEntry{
124 group: curveID,
125 keyExchange: publicKey,
126 })
127 keyShares[curveID] = curve
128 }
129 }
130
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]131 possibleCipherSuites := c.config.cipherSuites()
132 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
133
134NextCipherSuite:
135 for _, suiteId := range possibleCipherSuites {
136 for _, suite := range cipherSuites {
137 if suite.id != suiteId {
138 continue
139 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]140 if !c.config.Bugs.EnableAllCiphers {
141 // Don't advertise TLS 1.2-only cipher suites unless
142 // we're attempting TLS 1.2.
143 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
144 continue
145 }
146 // Don't advertise non-DTLS cipher suites in DTLS.
147 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
148 continue
149 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]150 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]151 hello.cipherSuites = append(hello.cipherSuites, suiteId)
152 continue NextCipherSuite
153 }
154 }
155
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]156 if c.config.Bugs.SendRenegotiationSCSV {
157 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
158 }
159
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]160 if c.config.Bugs.SendFallbackSCSV {
161 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
162 }
163
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]164 _, err := io.ReadFull(c.config.rand(), hello.random)
165 if err != nil {
166 c.sendAlert(alertInternalError)
167 return errors.New("tls: short read from Rand: " + err.Error())
168 }
169
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]170 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]171 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172 }
173
174 var session *ClientSessionState
175 var cacheKey string
176 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]177
178 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]179 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]180
181 // Try to resume a previously negotiated TLS session, if
182 // available.
183 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
184 candidateSession, ok := sessionCache.Get(cacheKey)
185 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]186 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
187
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 // Check that the ciphersuite/version used for the
189 // previous session are still valid.
190 cipherSuiteOk := false
191 for _, id := range hello.cipherSuites {
192 if id == candidateSession.cipherSuite {
193 cipherSuiteOk = true
194 break
195 }
196 }
197
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]198 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
199 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]200 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201 session = candidateSession
202 }
203 }
204 }
205
206 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]207 if session.sessionTicket != nil {
208 hello.sessionTicket = session.sessionTicket
209 if c.config.Bugs.CorruptTicket {
210 hello.sessionTicket = make([]byte, len(session.sessionTicket))
211 copy(hello.sessionTicket, session.sessionTicket)
212 if len(hello.sessionTicket) > 0 {
213 offset := 40
214 if offset > len(hello.sessionTicket) {
215 offset = len(hello.sessionTicket) - 1
216 }
217 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]218 }
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]219 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]220 // A random session ID is used to detect when the
221 // server accepted the ticket and is resuming a session
222 // (see RFC 5077).
223 sessionIdLen := 16
224 if c.config.Bugs.OversizedSessionId {
225 sessionIdLen = 33
226 }
227 hello.sessionId = make([]byte, sessionIdLen)
228 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
229 c.sendAlert(alertInternalError)
230 return errors.New("tls: short read from Rand: " + err.Error())
231 }
232 } else {
233 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]234 }
235 }
236
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]237 var helloBytes []byte
238 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]239 // Test that the peer left-pads random.
240 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]241 v2Hello := &v2ClientHelloMsg{
242 vers: hello.vers,
243 cipherSuites: hello.cipherSuites,
244 // No session resumption for V2ClientHello.
245 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]246 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]247 }
248 helloBytes = v2Hello.marshal()
249 c.writeV2Record(helloBytes)
250 } else {
251 helloBytes = hello.marshal()
252 c.writeRecord(recordTypeHandshake, helloBytes)
253 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]254 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]255
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]256 if err := c.simulatePacketLoss(nil); err != nil {
257 return err
258 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]259 msg, err := c.readHandshake()
260 if err != nil {
261 return err
262 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]263
264 if c.isDTLS {
265 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
266 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]267 if helloVerifyRequest.vers != VersionTLS10 {
268 // Per RFC 6347, the version field in
269 // HelloVerifyRequest SHOULD be always DTLS
270 // 1.0. Enforce this for testing purposes.
271 return errors.New("dtls: bad HelloVerifyRequest version")
272 }
273
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]274 hello.raw = nil
275 hello.cookie = helloVerifyRequest.cookie
276 helloBytes = hello.marshal()
277 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]278 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]279
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]280 if err := c.simulatePacketLoss(nil); err != nil {
281 return err
282 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]283 msg, err = c.readHandshake()
284 if err != nil {
285 return err
286 }
287 }
288 }
289
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]290 // TODO(davidben): Handle HelloRetryRequest.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]291 serverHello, ok := msg.(*serverHelloMsg)
292 if !ok {
293 c.sendAlert(alertUnexpectedMessage)
294 return unexpectedMessageError(serverHello, msg)
295 }
296
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]297 c.vers, ok = c.config.mutualVersion(serverHello.vers, c.isDTLS)
David Benjamin76d8abe2014-08-14 16:25:34 -0400[diff] [blame]298 if !ok {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299 c.sendAlert(alertProtocolVersion)
300 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
301 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 c.haveVers = true
303
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]304 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]305 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]306 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]307 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]308 c.sendAlert(alertProtocolVersion)
309 return errors.New("tls: downgrade from TLS 1.3 detected")
310 }
311 }
312 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]313 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]314 c.sendAlert(alertProtocolVersion)
315 return errors.New("tls: downgrade from TLS 1.2 detected")
316 }
317 }
318
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]319 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
320 if suite == nil {
321 c.sendAlert(alertHandshakeFailure)
322 return fmt.Errorf("tls: server selected an unsupported cipher suite")
323 }
324
325 hs := &clientHandshakeState{
326 c: c,
327 serverHello: serverHello,
328 hello: hello,
329 suite: suite,
330 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]331 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]332 session: session,
333 }
334
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]335 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
336 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]337
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]338 if c.vers >= VersionTLS13 && enableTLS13Handshake {
339 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]340 return err
341 }
342 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]343 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
344 hs.establishKeys()
345 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
346 }
347
348 if hs.serverHello.compressionMethod != compressionNone {
349 c.sendAlert(alertUnexpectedMessage)
350 return errors.New("tls: server selected unsupported compression format")
351 }
352
353 err = hs.processServerExtensions(&serverHello.extensions)
354 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]355 return err
356 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]357
358 isResume, err := hs.processServerHello()
359 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]360 return err
361 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]362
363 if isResume {
364 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
365 if err := hs.establishKeys(); err != nil {
366 return err
367 }
368 }
369 if err := hs.readSessionTicket(); err != nil {
370 return err
371 }
372 if err := hs.readFinished(c.firstFinished[:]); err != nil {
373 return err
374 }
375 if err := hs.sendFinished(nil, isResume); err != nil {
376 return err
377 }
378 } else {
379 if err := hs.doFullHandshake(); err != nil {
380 return err
381 }
382 if err := hs.establishKeys(); err != nil {
383 return err
384 }
385 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
386 return err
387 }
388 // Most retransmits are triggered by a timeout, but the final
389 // leg of the handshake is retransmited upon re-receiving a
390 // Finished.
391 if err := c.simulatePacketLoss(func() {
392 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
393 c.flushHandshake()
394 }); err != nil {
395 return err
396 }
397 if err := hs.readSessionTicket(); err != nil {
398 return err
399 }
400 if err := hs.readFinished(nil); err != nil {
401 return err
402 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]403 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]404
405 if sessionCache != nil && hs.session != nil && session != hs.session {
406 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
407 return errors.New("tls: new session used session IDs instead of tickets")
408 }
409 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]410 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]411
412 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]413 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414 }
415
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]416 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]417 c.cipherSuite = suite
418 copy(c.clientRandom[:], hs.hello.random)
419 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]420
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]421 return nil
422}
423
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]424func (hs *clientHandshakeState) doTLS13Handshake() error {
425 c := hs.c
426
427 // Once the PRF hash is known, TLS 1.3 does not require a handshake
428 // buffer.
429 hs.finishedHash.discardHandshakeBuffer()
430
431 zeroSecret := hs.finishedHash.zeroSecret()
432
433 // Resolve PSK and compute the early secret.
434 //
435 // TODO(davidben): This will need to be handled slightly earlier once
436 // 0-RTT is implemented.
437 var psk []byte
438 if hs.suite.flags&suitePSK != 0 {
439 if !hs.serverHello.hasPSKIdentity {
440 c.sendAlert(alertMissingExtension)
441 return errors.New("tls: server omitted the PSK identity extension")
442 }
443
444 // TODO(davidben): Support PSK ciphers and PSK resumption. Set
445 // the resumption context appropriately if resuming.
446 return errors.New("tls: PSK ciphers not implemented for TLS 1.3")
447 } else {
448 if hs.serverHello.hasPSKIdentity {
449 c.sendAlert(alertUnsupportedExtension)
450 return errors.New("tls: server sent unexpected PSK identity")
451 }
452
453 psk = zeroSecret
454 hs.finishedHash.setResumptionContext(zeroSecret)
455 }
456
457 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
458
459 // Resolve ECDHE and compute the handshake secret.
460 var ecdheSecret []byte
461 if hs.suite.flags&suiteECDHE != 0 {
462 if !hs.serverHello.hasKeyShare {
463 c.sendAlert(alertMissingExtension)
464 return errors.New("tls: server omitted the key share extension")
465 }
466
467 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
468 if !ok {
469 c.sendAlert(alertHandshakeFailure)
470 return errors.New("tls: server selected an unsupported group")
471 }
472
473 var err error
474 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
475 if err != nil {
476 return err
477 }
478 } else {
479 if hs.serverHello.hasKeyShare {
480 c.sendAlert(alertUnsupportedExtension)
481 return errors.New("tls: server sent unexpected key share extension")
482 }
483
484 ecdheSecret = zeroSecret
485 }
486
487 // Compute the handshake secret.
488 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
489
490 // Switch to handshake traffic keys.
491 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
492 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite), c.vers)
493 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite), c.vers)
494
495 msg, err := c.readHandshake()
496 if err != nil {
497 return err
498 }
499
500 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
501 if !ok {
502 c.sendAlert(alertUnexpectedMessage)
503 return unexpectedMessageError(encryptedExtensions, msg)
504 }
505 hs.writeServerHash(encryptedExtensions.marshal())
506
507 err = hs.processServerExtensions(&encryptedExtensions.extensions)
508 if err != nil {
509 return err
510 }
511
512 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]513 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]514 if hs.suite.flags&suitePSK != 0 {
515 if encryptedExtensions.extensions.ocspResponse != nil {
516 c.sendAlert(alertUnsupportedExtension)
517 return errors.New("tls: server sent OCSP response without a certificate")
518 }
519 if encryptedExtensions.extensions.sctList != nil {
520 c.sendAlert(alertUnsupportedExtension)
521 return errors.New("tls: server sent SCT list without a certificate")
522 }
523 } else {
524 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
525 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]526
527 msg, err := c.readHandshake()
528 if err != nil {
529 return err
530 }
531
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]532 var ok bool
533 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]534 if ok {
535 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]536
537 chainToSend, err = selectClientCertificate(c, certReq)
538 if err != nil {
539 return err
540 }
541
542 msg, err = c.readHandshake()
543 if err != nil {
544 return err
545 }
546 }
547
548 certMsg, ok := msg.(*certificateMsg)
549 if !ok {
550 c.sendAlert(alertUnexpectedMessage)
551 return unexpectedMessageError(certMsg, msg)
552 }
553 hs.writeServerHash(certMsg.marshal())
554
555 if err := hs.verifyCertificates(certMsg); err != nil {
556 return err
557 }
558 leaf := c.peerCertificates[0]
559
560 msg, err = c.readHandshake()
561 if err != nil {
562 return err
563 }
564 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
565 if !ok {
566 c.sendAlert(alertUnexpectedMessage)
567 return unexpectedMessageError(certVerifyMsg, msg)
568 }
569
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]570 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]571 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]572 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]573 if err != nil {
574 return err
575 }
576
577 hs.writeServerHash(certVerifyMsg.marshal())
578 }
579
580 msg, err = c.readHandshake()
581 if err != nil {
582 return err
583 }
584 serverFinished, ok := msg.(*finishedMsg)
585 if !ok {
586 c.sendAlert(alertUnexpectedMessage)
587 return unexpectedMessageError(serverFinished, msg)
588 }
589
590 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
591 if len(verify) != len(serverFinished.verifyData) ||
592 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
593 c.sendAlert(alertHandshakeFailure)
594 return errors.New("tls: server's Finished message was incorrect")
595 }
596
597 hs.writeServerHash(serverFinished.marshal())
598
599 // The various secrets do not incorporate the client's final leg, so
600 // derive them now before updating the handshake context.
601 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
602 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
603
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]604 if certReq != nil {
605 certMsg := &certificateMsg{
606 hasRequestContext: true,
607 requestContext: certReq.requestContext,
608 }
609 if chainToSend != nil {
610 certMsg.certificates = chainToSend.Certificate
611 }
612 hs.writeClientHash(certMsg.marshal())
613 c.writeRecord(recordTypeHandshake, certMsg.marshal())
614
615 if chainToSend != nil {
616 certVerify := &certificateVerifyMsg{
617 hasSignatureAlgorithm: true,
618 }
619
620 // Determine the hash to sign.
621 privKey := chainToSend.PrivateKey
622
623 var err error
624 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
625 if err != nil {
626 c.sendAlert(alertInternalError)
627 return err
628 }
629
630 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
631 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
632 if err != nil {
633 c.sendAlert(alertInternalError)
634 return err
635 }
636
637 hs.writeClientHash(certVerify.marshal())
638 c.writeRecord(recordTypeHandshake, certVerify.marshal())
639 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]640 }
641
642 // Send a client Finished message.
643 finished := new(finishedMsg)
644 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
645 if c.config.Bugs.BadFinished {
646 finished.verifyData[0]++
647 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]648 hs.writeClientHash(finished.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]649 c.writeRecord(recordTypeHandshake, finished.marshal())
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]650 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]651
652 // Switch to application data keys.
653 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
654 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
655
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]656 // TODO(davidben): Derive and save the resumption master secret for receiving tickets.
657 // TODO(davidben): Save the traffic secret for KeyUpdate.
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]658 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]659 return nil
660}
661
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]662func (hs *clientHandshakeState) doFullHandshake() error {
663 c := hs.c
664
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]665 var leaf *x509.Certificate
666 if hs.suite.flags&suitePSK == 0 {
667 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]668 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]669 return err
670 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]671
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]672 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]673 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]674 c.sendAlert(alertUnexpectedMessage)
675 return unexpectedMessageError(certMsg, msg)
676 }
677 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]678
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]679 if err := hs.verifyCertificates(certMsg); err != nil {
680 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]681 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]682 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]683 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]684
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]685 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]686 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]687 if err != nil {
688 return err
689 }
690 cs, ok := msg.(*certificateStatusMsg)
691 if !ok {
692 c.sendAlert(alertUnexpectedMessage)
693 return unexpectedMessageError(cs, msg)
694 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]695 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]696
697 if cs.statusType == statusTypeOCSP {
698 c.ocspResponse = cs.response
699 }
700 }
701
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]702 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]703 if err != nil {
704 return err
705 }
706
707 keyAgreement := hs.suite.ka(c.vers)
708
709 skx, ok := msg.(*serverKeyExchangeMsg)
710 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]711 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]712 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]713 if err != nil {
714 c.sendAlert(alertUnexpectedMessage)
715 return err
716 }
717
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]718 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
719
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]720 msg, err = c.readHandshake()
721 if err != nil {
722 return err
723 }
724 }
725
726 var chainToSend *Certificate
727 var certRequested bool
728 certReq, ok := msg.(*certificateRequestMsg)
729 if ok {
730 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]731 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
732 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
733 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]735 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]736
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]737 chainToSend, err = selectClientCertificate(c, certReq)
738 if err != nil {
739 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]740 }
741
742 msg, err = c.readHandshake()
743 if err != nil {
744 return err
745 }
746 }
747
748 shd, ok := msg.(*serverHelloDoneMsg)
749 if !ok {
750 c.sendAlert(alertUnexpectedMessage)
751 return unexpectedMessageError(shd, msg)
752 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]753 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]754
755 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]756 // Certificate message in TLS, even if it's empty because we don't have
757 // a certificate to send. In SSL 3.0, skip the message and send a
758 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]759 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]760 if c.vers == VersionSSL30 && chainToSend == nil {
761 c.sendAlert(alertNoCertficate)
762 } else if !c.config.Bugs.SkipClientCertificate {
763 certMsg := new(certificateMsg)
764 if chainToSend != nil {
765 certMsg.certificates = chainToSend.Certificate
766 }
767 hs.writeClientHash(certMsg.marshal())
768 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]769 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770 }
771
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]772 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]773 if err != nil {
774 c.sendAlert(alertInternalError)
775 return err
776 }
777 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]778 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]779 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]780 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]781 c.writeRecord(recordTypeHandshake, ckx.marshal())
782 }
783
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]784 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]785 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
786 c.extendedMasterSecret = true
787 } else {
788 if c.config.Bugs.RequireExtendedMasterSecret {
789 return errors.New("tls: extended master secret required but not supported by peer")
790 }
791 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
792 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]793
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]794 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]795 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]796 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]797 }
798
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]799 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]800 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]801
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]802 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]803 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]804 if err != nil {
805 c.sendAlert(alertInternalError)
806 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]807 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]808 }
809
810 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame^]811 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]812 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
813 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
814 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]815 } else {
816 // SSL 3.0's client certificate construction is
817 // incompatible with signatureAlgorithm.
818 rsaKey, ok := privKey.(*rsa.PrivateKey)
819 if !ok {
820 err = errors.New("unsupported signature type for client certificate")
821 } else {
822 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame^]823 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]824 digest[0] ^= 0x80
825 }
826 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
827 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828 }
829 if err != nil {
830 c.sendAlert(alertInternalError)
831 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
832 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]834 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835 c.writeRecord(recordTypeHandshake, certVerify.marshal())
836 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]837 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]839 hs.finishedHash.discardHandshakeBuffer()
840
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]841 return nil
842}
843
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]844func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
845 c := hs.c
846
847 if len(certMsg.certificates) == 0 {
848 c.sendAlert(alertIllegalParameter)
849 return errors.New("tls: no certificates sent")
850 }
851
852 certs := make([]*x509.Certificate, len(certMsg.certificates))
853 for i, asn1Data := range certMsg.certificates {
854 cert, err := x509.ParseCertificate(asn1Data)
855 if err != nil {
856 c.sendAlert(alertBadCertificate)
857 return errors.New("tls: failed to parse certificate from server: " + err.Error())
858 }
859 certs[i] = cert
860 }
861
862 if !c.config.InsecureSkipVerify {
863 opts := x509.VerifyOptions{
864 Roots: c.config.RootCAs,
865 CurrentTime: c.config.time(),
866 DNSName: c.config.ServerName,
867 Intermediates: x509.NewCertPool(),
868 }
869
870 for i, cert := range certs {
871 if i == 0 {
872 continue
873 }
874 opts.Intermediates.AddCert(cert)
875 }
876 var err error
877 c.verifiedChains, err = certs[0].Verify(opts)
878 if err != nil {
879 c.sendAlert(alertBadCertificate)
880 return err
881 }
882 }
883
884 switch certs[0].PublicKey.(type) {
885 case *rsa.PublicKey, *ecdsa.PublicKey:
886 break
887 default:
888 c.sendAlert(alertUnsupportedCertificate)
889 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
890 }
891
892 c.peerCertificates = certs
893 return nil
894}
895
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]896func (hs *clientHandshakeState) establishKeys() error {
897 c := hs.c
898
899 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]900 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]901 var clientCipher, serverCipher interface{}
902 var clientHash, serverHash macFunction
903 if hs.suite.cipher != nil {
904 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
905 clientHash = hs.suite.mac(c.vers, clientMAC)
906 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
907 serverHash = hs.suite.mac(c.vers, serverMAC)
908 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]909 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
910 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]911 }
912
913 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
914 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
915 return nil
916}
917
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]918func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
919 c := hs.c
920
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]921 if c.vers < VersionTLS13 || !enableTLS13Handshake {
922 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
923 return errors.New("tls: renegotiation extension missing")
924 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]925
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]926 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
927 var expectedRenegInfo []byte
928 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
929 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
930 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
931 c.sendAlert(alertHandshakeFailure)
932 return fmt.Errorf("tls: renegotiation mismatch")
933 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]934 }
935 }
936
937 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
938 if serverExtensions.customExtension != *expected {
939 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
940 }
941 }
942
943 clientDidNPN := hs.hello.nextProtoNeg
944 clientDidALPN := len(hs.hello.alpnProtocols) > 0
945 serverHasNPN := serverExtensions.nextProtoNeg
946 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
947
948 if !clientDidNPN && serverHasNPN {
949 c.sendAlert(alertHandshakeFailure)
950 return errors.New("server advertised unrequested NPN extension")
951 }
952
953 if !clientDidALPN && serverHasALPN {
954 c.sendAlert(alertHandshakeFailure)
955 return errors.New("server advertised unrequested ALPN extension")
956 }
957
958 if serverHasNPN && serverHasALPN {
959 c.sendAlert(alertHandshakeFailure)
960 return errors.New("server advertised both NPN and ALPN extensions")
961 }
962
963 if serverHasALPN {
964 c.clientProtocol = serverExtensions.alpnProtocol
965 c.clientProtocolFallback = false
966 c.usedALPN = true
967 }
968
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]969 if serverHasNPN && c.vers >= VersionTLS13 && enableTLS13Handshake {
970 c.sendAlert(alertHandshakeFailure)
971 return errors.New("server advertised NPN over TLS 1.3")
972 }
973
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]974 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
975 c.sendAlert(alertHandshakeFailure)
976 return errors.New("server advertised unrequested Channel ID extension")
977 }
978
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]979 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 && enableTLS13Handshake {
980 c.sendAlert(alertHandshakeFailure)
981 return errors.New("server advertised Channel ID over TLS 1.3")
982 }
983
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]984 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 && enableTLS13Handshake {
985 return errors.New("tls: server advertised extended master secret over TLS 1.3")
986 }
987
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]988 if serverExtensions.srtpProtectionProfile != 0 {
989 if serverExtensions.srtpMasterKeyIdentifier != "" {
990 return errors.New("tls: server selected SRTP MKI value")
991 }
992
993 found := false
994 for _, p := range c.config.SRTPProtectionProfiles {
995 if p == serverExtensions.srtpProtectionProfile {
996 found = true
997 break
998 }
999 }
1000 if !found {
1001 return errors.New("tls: server advertised unsupported SRTP profile")
1002 }
1003
1004 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1005 }
1006
1007 return nil
1008}
1009
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1010func (hs *clientHandshakeState) serverResumedSession() bool {
1011 // If the server responded with the same sessionId then it means the
1012 // sessionTicket is being used to resume a TLS session.
1013 return hs.session != nil && hs.hello.sessionId != nil &&
1014 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1015}
1016
1017func (hs *clientHandshakeState) processServerHello() (bool, error) {
1018 c := hs.c
1019
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1020 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1021 // For test purposes, assert that the server never accepts the
1022 // resumption offer on renegotiation.
1023 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1024 return false, errors.New("tls: server resumed session on renegotiation")
1025 }
1026
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1027 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1028 return false, errors.New("tls: server sent SCT extension on session resumption")
1029 }
1030
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1031 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1032 return false, errors.New("tls: server sent OCSP extension on session resumption")
1033 }
1034
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035 // Restore masterSecret and peerCerts from previous state
1036 hs.masterSecret = hs.session.masterSecret
1037 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1038 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1039 c.sctList = hs.session.sctList
1040 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1041 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1042 return true, nil
1043 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1044
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1045 if hs.serverHello.extensions.sctList != nil {
1046 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1047 }
1048
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1049 return false, nil
1050}
1051
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1052func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1053 c := hs.c
1054
1055 c.readRecord(recordTypeChangeCipherSpec)
1056 if err := c.in.error(); err != nil {
1057 return err
1058 }
1059
1060 msg, err := c.readHandshake()
1061 if err != nil {
1062 return err
1063 }
1064 serverFinished, ok := msg.(*finishedMsg)
1065 if !ok {
1066 c.sendAlert(alertUnexpectedMessage)
1067 return unexpectedMessageError(serverFinished, msg)
1068 }
1069
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1070 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1071 verify := hs.finishedHash.serverSum(hs.masterSecret)
1072 if len(verify) != len(serverFinished.verifyData) ||
1073 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1074 c.sendAlert(alertHandshakeFailure)
1075 return errors.New("tls: server's Finished message was incorrect")
1076 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1077 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1078 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1079 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1080 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 return nil
1082}
1083
1084func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1085 c := hs.c
1086
1087 // Create a session with no server identifier. Either a
1088 // session ID or session ticket will be attached.
1089 session := &ClientSessionState{
1090 vers: c.vers,
1091 cipherSuite: hs.suite.id,
1092 masterSecret: hs.masterSecret,
1093 handshakeHash: hs.finishedHash.server.Sum(nil),
1094 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1095 sctList: c.sctList,
1096 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1097 }
1098
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1099 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1100 if c.config.Bugs.ExpectNewTicket {
1101 return errors.New("tls: expected new ticket")
1102 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1103 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1104 session.sessionId = hs.serverHello.sessionId
1105 hs.session = session
1106 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 return nil
1108 }
1109
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1110 if c.vers == VersionSSL30 {
1111 return errors.New("tls: negotiated session tickets in SSL 3.0")
1112 }
1113
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114 msg, err := c.readHandshake()
1115 if err != nil {
1116 return err
1117 }
1118 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1119 if !ok {
1120 c.sendAlert(alertUnexpectedMessage)
1121 return unexpectedMessageError(sessionTicketMsg, msg)
1122 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1123
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1124 session.sessionTicket = sessionTicketMsg.ticket
1125 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1126
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1127 hs.writeServerHash(sessionTicketMsg.marshal())
1128
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1129 return nil
1130}
1131
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1132func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1133 c := hs.c
1134
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1135 var postCCSBytes []byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1136 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1137 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1138 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1139 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1140 nextProto.proto = proto
1141 c.clientProtocol = proto
1142 c.clientProtocolFallback = fallback
1143
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1144 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1145 hs.writeHash(nextProtoBytes, seqno)
1146 seqno++
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1147 postCCSBytes = append(postCCSBytes, nextProtoBytes...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1148 }
1149
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1150 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1151 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1152 if c.config.ChannelID.Curve != elliptic.P256() {
1153 return fmt.Errorf("tls: Channel ID is not on P-256.")
1154 }
1155 var resumeHash []byte
1156 if isResume {
1157 resumeHash = hs.session.handshakeHash
1158 }
1159 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1160 if err != nil {
1161 return err
1162 }
1163 channelID := make([]byte, 128)
1164 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1165 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1166 writeIntPadded(channelID[64:96], r)
1167 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1168 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1169
1170 c.channelID = &c.config.ChannelID.PublicKey
1171
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1172 channelIDMsgBytes := channelIDMsg.marshal()
1173 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1174 seqno++
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1175 postCCSBytes = append(postCCSBytes, channelIDMsgBytes...)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1176 }
1177
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1178 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1179 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1180 finished.verifyData = hs.finishedHash.clientSum(nil)
1181 } else {
1182 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1183 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1184 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1185 if c.config.Bugs.BadFinished {
1186 finished.verifyData[0]++
1187 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1188 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1189 hs.finishedBytes = finished.marshal()
1190 hs.writeHash(hs.finishedBytes, seqno)
1191 postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1192
1193 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
1194 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
1195 postCCSBytes = postCCSBytes[5:]
1196 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1197 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1198
1199 if !c.config.Bugs.SkipChangeCipherSpec &&
1200 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1201 ccs := []byte{1}
1202 if c.config.Bugs.BadChangeCipherSpec != nil {
1203 ccs = c.config.Bugs.BadChangeCipherSpec
1204 }
1205 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1206 }
1207
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1208 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1209 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1210 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1211 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1212 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1213 return errors.New("tls: simulating post-CCS alert")
1214 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1215
David Benjaminb80168e2015-02-08 18:30:14 -0500[diff] [blame]1216 if !c.config.Bugs.SkipFinished {
1217 c.writeRecord(recordTypeHandshake, postCCSBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1218 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1219 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1220 return nil
1221}
1222
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1223func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1224 // writeClientHash is called before writeRecord.
1225 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1226}
1227
1228func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1229 // writeServerHash is called after readHandshake.
1230 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1231}
1232
1233func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1234 if hs.c.isDTLS {
1235 // This is somewhat hacky. DTLS hashes a slightly different format.
1236 // First, the TLS header.
1237 hs.finishedHash.Write(msg[:4])
1238 // Then the sequence number and reassembled fragment offset (always 0).
1239 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1240 // Then the reassembled fragment (always equal to the message length).
1241 hs.finishedHash.Write(msg[1:4])
1242 // And then the message body.
1243 hs.finishedHash.Write(msg[4:])
1244 } else {
1245 hs.finishedHash.Write(msg)
1246 }
1247}
1248
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1249// selectClientCertificate selects a certificate for use with the given
1250// certificate, or none if none match. It may return a particular certificate or
1251// nil on success, or an error on internal error.
1252func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1253 // RFC 4346 on the certificateAuthorities field:
1254 // A list of the distinguished names of acceptable certificate
1255 // authorities. These distinguished names may specify a desired
1256 // distinguished name for a root CA or for a subordinate CA; thus, this
1257 // message can be used to describe both known roots and a desired
1258 // authorization space. If the certificate_authorities list is empty
1259 // then the client MAY send any certificate of the appropriate
1260 // ClientCertificateType, unless there is some external arrangement to
1261 // the contrary.
1262
1263 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1264 if !certReq.hasRequestContext {
1265 for _, certType := range certReq.certificateTypes {
1266 switch certType {
1267 case CertTypeRSASign:
1268 rsaAvail = true
1269 case CertTypeECDSASign:
1270 ecdsaAvail = true
1271 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1272 }
1273 }
1274
1275 // We need to search our list of client certs for one
1276 // where SignatureAlgorithm is RSA and the Issuer is in
1277 // certReq.certificateAuthorities
1278findCert:
1279 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1280 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1281 continue
1282 }
1283
1284 // Ensure the private key supports one of the advertised
1285 // signature algorithms.
1286 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1287 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1288 continue
1289 }
1290 }
1291
1292 for j, cert := range chain.Certificate {
1293 x509Cert := chain.Leaf
1294 // parse the certificate if this isn't the leaf
1295 // node, or if chain.Leaf was nil
1296 if j != 0 || x509Cert == nil {
1297 var err error
1298 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1299 c.sendAlert(alertInternalError)
1300 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1301 }
1302 }
1303
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1304 if !certReq.hasRequestContext {
1305 switch {
1306 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1307 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1308 default:
1309 continue findCert
1310 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1311 }
1312
1313 if len(certReq.certificateAuthorities) == 0 {
1314 // They gave us an empty list, so just take the
1315 // first certificate of valid type from
1316 // c.config.Certificates.
1317 return &chain, nil
1318 }
1319
1320 for _, ca := range certReq.certificateAuthorities {
1321 if bytes.Equal(x509Cert.RawIssuer, ca) {
1322 return &chain, nil
1323 }
1324 }
1325 }
1326 }
1327
1328 return nil, nil
1329}
1330
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1331// clientSessionCacheKey returns a key used to cache sessionTickets that could
1332// be used to resume previously negotiated TLS sessions with a server.
1333func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1334 if len(config.ServerName) > 0 {
1335 return config.ServerName
1336 }
1337 return serverAddr.String()
1338}
1339
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1340// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1341// given list of possible protocols and a list of the preference order. The
1342// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1343// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1344func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1345 for _, s := range preferenceProtos {
1346 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1347 if s == c {
1348 return s, false
1349 }
1350 }
1351 }
1352
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1353 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1354}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1355
1356// writeIntPadded writes x into b, padded up with leading zeros as
1357// needed.
1358func writeIntPadded(b []byte, x *big.Int) {
1359 for i := range b {
1360 b[i] = 0
1361 }
1362 xb := x.Bytes()
1363 copy(b[len(b)-len(xb):], xb)
1364}